/*
 * Licensed to the Apache Software Foundation (ASF) under one or more contributor license
 * agreements. See the NOTICE file distributed with this work for additional information regarding
 * copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance with the License. You may obtain a
 * copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software distributed under the License
 * is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
 * or implied. See the License for the specific language governing permissions and limitations under
 * the License.
 */

package org.apache.geode.security;

import java.security.Principal;
import java.util.Properties;

import org.apache.geode.LogWriter;
import org.apache.geode.cache.CacheCallback;
import org.apache.geode.distributed.DistributedMember;
import org.apache.geode.distributed.DistributedSystem;

/**
 * Specifies the mechanism to verify credentials for a client or peer. Implementations should
 * register name of the static creation function as the <code>security-peer-authenticator</code>
 * system property with all the locators in the distributed system for peer authentication, and as
 * <code>security-client-authenticator</code> for client authentication. For P2P an object is
 * initialized on the group coordinator for each member during the
 * {@link DistributedSystem#connect(Properties)} call of a new member. For client-server, an object
 * of this class is created for each connection during the client-server handshake.
 *
 * The static creation function should have the following signature:
 * <code>public static Authenticator [method-name]();</code> i.e. it should be a zero argument
 * function.
 *
 * @since GemFire 5.5
 *
 * @deprecated since Geode 1.0, use {@link SecurityManager} instead
 */
public interface Authenticator extends CacheCallback {

  /**
   * Initialize the callback for a client/peer. This is invoked when a new connection from a
   * client/peer is created with the host.
   *
   * @param securityProps the security properties obtained using a call to
   *        {@link DistributedSystem#getSecurityProperties}
   * @param systemLogger {@link LogWriter} for system logs
   * @param securityLogger {@link LogWriter} for security logs
   *
   * @throws AuthenticationFailedException if some exception occurs during the initialization
   */
  void init(Properties securityProps, LogWriter systemLogger, LogWriter securityLogger)
      throws AuthenticationFailedException;

  @Override
  default void init(Properties securityProps) throws AuthenticationFailedException {
    init(securityProps, null, null);
  }

  /**
   * Verify the credentials provided in the properties for the client/peer as specified in member ID
   * and returns the principal associated with the client/peer.
   *
   * @param props the credentials of the client/peer as a set of property key/values
   * @param member the {@link DistributedMember} object of the connecting client/peer member. NULL
   *        when invoked locally on the member initiating the authentication request.
   *
   * @return the principal for the client/peer when authentication succeeded
   *
   * @throws AuthenticationFailedException If the authentication of the client/peer fails.
   */
  Principal authenticate(Properties props, DistributedMember member)
      throws AuthenticationFailedException;

  default Principal authenticate(Properties props) throws AuthenticationFailedException {
    return authenticate(props, null);
  }

}
